23 files changed, 95 insertions, 64 deletions
diff --git a/src/lib/libtls/man/tls_accept_socket.3 b/src/lib/libtls/man/tls_accept_socket.3
index 931b9346ec..8922708e0f 100644
--- a/src/lib/libtls/man/tls_accept_socket.3
+++ b/src/lib/libtls/man/tls_accept_socket.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_accept_socket.3,v 1.4 2018/05/26 12:35:26 schwarze Exp $
+.\" $OpenBSD: tls_accept_socket.3,v 1.5 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 26 2018 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_ACCEPT_SOCKET 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm tls_accept_cbs
 .Nd accept an incoming client connection in a TLS server
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft int
 .Fo tls_accept_socket
diff --git a/src/lib/libtls/man/tls_client.3 b/src/lib/libtls/man/tls_client.3
index 98f58d4c20..235c779519 100644
--- a/src/lib/libtls/man/tls_client.3
+++ b/src/lib/libtls/man/tls_client.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_client.3,v 1.4 2017/08/12 03:41:48 jsing Exp $
+.\" $OpenBSD: tls_client.3,v 1.5 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 12 2017 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_CLIENT 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm tls_free
 .Nd configure a TLS connection
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft struct tls *
 .Fn tls_client void
diff --git a/src/lib/libtls/man/tls_config_ocsp_require_stapling.3 b/src/lib/libtls/man/tls_config_ocsp_require_stapling.3
index a0694d304f..d776b61ad6 100644
--- a/src/lib/libtls/man/tls_config_ocsp_require_stapling.3
+++ b/src/lib/libtls/man/tls_config_ocsp_require_stapling.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_config_ocsp_require_stapling.3,v 1.5 2017/01/31 20:53:50 jmc Exp $
+.\" $OpenBSD: tls_config_ocsp_require_stapling.3,v 1.6 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Bob Beck <beck@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 31 2017 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_CONFIG_OCSP_REQUIRE_STAPLING 3
 .Os
 .Sh NAME
 .Nm tls_config_ocsp_require_stapling
 .Nd OCSP configuration for libtls
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft void
 .Fn tls_config_ocsp_require_stapling "struct tls_config *config"
diff --git a/src/lib/libtls/man/tls_config_set_protocols.3 b/src/lib/libtls/man/tls_config_set_protocols.3
index 32b8cce757..403bc10b82 100644
--- a/src/lib/libtls/man/tls_config_set_protocols.3
+++ b/src/lib/libtls/man/tls_config_set_protocols.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_config_set_protocols.3,v 1.12 2023/07/02 06:37:27 beck Exp $
+.\" $OpenBSD: tls_config_set_protocols.3,v 1.13 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2015, 2016 Joel Sing <jsing@openbsd.org>
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 2 2023 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_CONFIG_SET_PROTOCOLS 3
 .Os
 .Sh NAME
@@ -26,10 +26,12 @@
 .Nm tls_config_set_ciphers ,
 .Nm tls_config_set_dheparams ,
 .Nm tls_config_set_ecdhecurves ,
+.\" .Nm tls_config_set_ecdhecurve is intentionally undocumented.
 .Nm tls_config_prefer_ciphers_client ,
 .Nm tls_config_prefer_ciphers_server
 .Nd TLS protocol and cipher selection
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft int
 .Fo tls_config_set_protocols
diff --git a/src/lib/libtls/man/tls_config_set_session_id.3 b/src/lib/libtls/man/tls_config_set_session_id.3
index d969e01e33..a869b3f24c 100644
--- a/src/lib/libtls/man/tls_config_set_session_id.3
+++ b/src/lib/libtls/man/tls_config_set_session_id.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_config_set_session_id.3,v 1.5 2018/02/10 06:07:43 jsing Exp $
+.\" $OpenBSD: tls_config_set_session_id.3,v 1.6 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2017 Claudio Jeker <claudio@openbsd.org>
 .\" Copyright (c) 2018 Joel Sing <jsing@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: February 10 2018 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_CONFIG_SET_SESSION_ID 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm tls_config_add_ticket_key
 .Nd configure resuming of TLS handshakes
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft int
 .Fo tls_config_set_session_fd
diff --git a/src/lib/libtls/man/tls_config_verify.3 b/src/lib/libtls/man/tls_config_verify.3
index 4a43c834d7..d5b29e858e 100644
--- a/src/lib/libtls/man/tls_config_verify.3
+++ b/src/lib/libtls/man/tls_config_verify.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_config_verify.3,v 1.4 2017/03/02 11:05:50 jmc Exp $
+.\" $OpenBSD: tls_config_verify.3,v 1.5 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 2 2017 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_CONFIG_VERIFY 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm tls_config_insecure_noverifytime
 .Nd insecure TLS configuration
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft void
 .Fn tls_config_verify "struct tls_config *config"
diff --git a/src/lib/libtls/man/tls_conn_version.3 b/src/lib/libtls/man/tls_conn_version.3
index 8fb30624d7..3a386cf11f 100644
--- a/src/lib/libtls/man/tls_conn_version.3
+++ b/src/lib/libtls/man/tls_conn_version.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_conn_version.3,v 1.11 2024/12/10 08:42:12 tb Exp $
+.\" $OpenBSD: tls_conn_version.3,v 1.12 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2015 Bob Beck <beck@openbsd.org>
 .\" Copyright (c) 2016, 2018 Joel Sing <jsing@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 10 2024 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_CONN_VERSION 3
 .Os
 .Sh NAME
@@ -36,6 +36,7 @@
 .Nm tls_peer_cert_notafter
 .Nd inspect an established TLS connection
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft const char *
 .Fn tls_conn_version "struct tls *ctx"
diff --git a/src/lib/libtls/man/tls_connect.3 b/src/lib/libtls/man/tls_connect.3
index 4c4f01c256..95a18864b2 100644
--- a/src/lib/libtls/man/tls_connect.3
+++ b/src/lib/libtls/man/tls_connect.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_connect.3,v 1.4 2018/07/09 19:51:18 tb Exp $
+.\" $OpenBSD: tls_connect.3,v 1.5 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2014, 2015 Joel Sing <jsing@openbsd.org>
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 9 2018 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_CONNECT 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .Nm tls_connect_cbs
 .Nd instruct a TLS client to establish a connection
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft int
 .Fo tls_connect
diff --git a/src/lib/libtls/man/tls_init.3 b/src/lib/libtls/man/tls_init.3
index 557998107c..69879c04c7 100644
--- a/src/lib/libtls/man/tls_init.3
+++ b/src/lib/libtls/man/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.13 2018/07/09 19:47:20 tb Exp $
+.\" $OpenBSD: tls_init.3,v 1.14 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2016 Joel Sing <jsing@openbsd.org>
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 9 2018 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_INIT 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm tls_config_error
 .Nd initialize TLS client and server API
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft int
 .Fn tls_init void
diff --git a/src/lib/libtls/man/tls_load_file.3 b/src/lib/libtls/man/tls_load_file.3
index cf33b575ef..33f486d530 100644
--- a/src/lib/libtls/man/tls_load_file.3
+++ b/src/lib/libtls/man/tls_load_file.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_load_file.3,v 1.14 2022/01/01 02:18:28 jsg Exp $
+.\" $OpenBSD: tls_load_file.3,v 1.15 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -17,7 +17,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 1 2022 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_LOAD_FILE 3
 .Os
 .Sh NAME
@@ -49,6 +49,7 @@
 .Nm tls_default_ca_cert_file
 .Nd TLS certificate and key configuration
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft uint8_t *
 .Fo tls_load_file
diff --git a/src/lib/libtls/man/tls_ocsp_process_response.3 b/src/lib/libtls/man/tls_ocsp_process_response.3
index 6e3aa4aecc..e7b57a6827 100644
--- a/src/lib/libtls/man/tls_ocsp_process_response.3
+++ b/src/lib/libtls/man/tls_ocsp_process_response.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_ocsp_process_response.3,v 1.6 2018/07/24 02:01:34 tb Exp $
+.\" $OpenBSD: tls_ocsp_process_response.3,v 1.7 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Bob Beck <beck@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 24 2018 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_OCSP_PROCESS_RESPONSE 3
 .Os
 .Sh NAME
@@ -29,6 +29,7 @@
 .Nm tls_peer_ocsp_next_update
 .Nd inspect an OCSP response
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft int
 .Fo tls_ocsp_process_response
diff --git a/src/lib/libtls/man/tls_read.3 b/src/lib/libtls/man/tls_read.3
index f9d949eef5..f72e63cf63 100644
--- a/src/lib/libtls/man/tls_read.3
+++ b/src/lib/libtls/man/tls_read.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_read.3,v 1.8 2023/09/18 17:25:15 schwarze Exp $
+.\" $OpenBSD: tls_read.3,v 1.9 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2014, 2015 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2015 Doug Hogan <doug@openbsd.org>
@@ -18,7 +18,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 18 2023 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_READ 3
 .Os
 .Sh NAME
@@ -29,6 +29,7 @@
 .Nm tls_close
 .Nd use a TLS connection
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft ssize_t
 .Fo tls_read
diff --git a/src/lib/libtls/shlib_version b/src/lib/libtls/shlib_version
index 3040494c17..715847ed94 100644
--- a/src/lib/libtls/shlib_version
+++ b/src/lib/libtls/shlib_version
@@ -1,2 +1,2 @@
-major=32
+major=33
-minor=1
+minor=2
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 41bb06d857..02ff337b1e 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.104 2024/04/08 20:47:32 tb Exp $ */
+/* $OpenBSD: tls.c,v 1.105 2026/04/16 07:28:00 tb Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -686,7 +686,7 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
                        if (xi->crl == NULL)
                                continue;
                        if (!X509_STORE_add_crl(store, xi->crl)) {
-                                tls_set_error(ctx, TLS_ERROR_UNKNOWN,
+                                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
                                    "failed to add crl");
                                goto err;
                        }
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index 97e1d40210..7de9927b94 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.51 2024/03/26 08:54:48 joshua Exp $ */
+/* $OpenBSD: tls_client.c,v 1.52 2026/04/16 07:28:00 tb Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -115,7 +115,7 @@ tls_connect_servername(struct tls *ctx, const char *host, const char *port,
                        hints.ai_family = AF_UNSPEC;
                        hints.ai_flags = AI_ADDRCONFIG;
                        if ((s = getaddrinfo(h, p, &hints, &res0)) != 0) {
-                                tls_set_error(ctx, TLS_ERROR_UNKNOWN,
+                                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
                                    "%s", gai_strerror(s));
                                goto err;
                        }
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 22fa8455a1..d35c5065c5 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.71 2024/08/02 15:00:01 tb Exp $ */
+/* $OpenBSD: tls_config.c,v 1.73 2026/04/16 07:33:11 tb Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -49,7 +49,7 @@ tls_config_load_file(struct tls_error *error, const char *filetype,
        *buf = NULL;
        *len = 0;
-        if ((fd = open(filename, O_RDONLY)) == -1) {
+        if ((fd = open(filename, O_RDONLY|O_CLOEXEC)) == -1) {
                tls_error_set(error, TLS_ERROR_UNKNOWN,
                    "failed to open %s file '%s'",
                    filetype, filename);
@@ -65,7 +65,7 @@ tls_config_load_file(struct tls_error *error, const char *filetype,
                goto err;
        *len = (size_t)st.st_size;
        if ((*buf = malloc(*len)) == NULL) {
-                tls_error_set(error, TLS_ERROR_UNKNOWN,
+                tls_error_setx(error, TLS_ERROR_OUT_OF_MEMORY,
                    "failed to allocate buffer for %s file",
                    filetype);
                goto err;
diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c
index 8fb56c92b7..5707ec6703 100644
--- a/src/lib/libtls/tls_conninfo.c
+++ b/src/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.28 2024/12/10 08:40:30 tb Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.29 2026/03/28 11:33:33 tb Exp $ */
 /*
 * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -89,7 +89,7 @@ tls_get_peer_cert_hash(struct tls *ctx, char **hash)
 static int
 tls_get_peer_cert_issuer(struct tls *ctx,  char **issuer)
 {
-        X509_NAME *name = NULL;
+        const X509_NAME *name = NULL;
        *issuer = NULL;
        if (ctx->ssl_peer_cert == NULL)
@@ -105,7 +105,7 @@ tls_get_peer_cert_issuer(struct tls *ctx,  char **issuer)
 static int
 tls_get_peer_cert_subject(struct tls *ctx, char **subject)
 {
-        X509_NAME *name = NULL;
+        const X509_NAME *name = NULL;
        *subject = NULL;
        if (ctx->ssl_peer_cert == NULL)
diff --git a/src/lib/libtls/tls_keypair.c b/src/lib/libtls/tls_keypair.c
index ffda91df8e..b485a21ea1 100644
--- a/src/lib/libtls/tls_keypair.c
+++ b/src/lib/libtls/tls_keypair.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_keypair.c,v 1.9 2024/03/26 06:24:52 joshua Exp $ */
+/* $OpenBSD: tls_keypair.c,v 1.13 2026/04/20 04:35:00 tb Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -15,6 +15,8 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
+#include <limits.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
@@ -144,13 +146,18 @@ tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error,
        *cert = NULL;
        if (keypair->cert_mem == NULL) {
-                tls_error_set(error, TLS_ERROR_UNKNOWN,
+                tls_error_setx(error, TLS_ERROR_UNKNOWN,
                    "keypair has no certificate");
                goto err;
        }
+        if (keypair->cert_len > INT_MAX) {
+                tls_error_setx(error, TLS_ERROR_INVALID_ARGUMENT,
+                    "certificate too long");
+                goto err;
+        }
        if ((cert_bio = BIO_new_mem_buf(keypair->cert_mem,
            keypair->cert_len)) == NULL) {
-                tls_error_set(error, TLS_ERROR_UNKNOWN,
+                tls_error_setx(error, TLS_ERROR_UNKNOWN,
                    "failed to create certificate bio");
                goto err;
        }
@@ -158,7 +165,7 @@ tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error,
            NULL)) == NULL) {
                if ((ssl_err = ERR_peek_error()) != 0)
                        errstr = ERR_error_string(ssl_err, NULL);
-                tls_error_set(error, TLS_ERROR_UNKNOWN,
+                tls_error_setx(error, TLS_ERROR_UNKNOWN,
                    "failed to load certificate: %s", errstr);
                goto err;
        }
diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c
index bfd06e3c6a..b8d855c4c8 100644
--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls_ocsp.c,v 1.26 2024/03/26 06:24:52 joshua Exp $ */
+/*      $OpenBSD: tls_ocsp.c,v 1.29 2026/04/16 07:35:25 tb Exp $ */
 /*
 * Copyright (c) 2015 Marko Kreen <markokr@gmail.com>
 * Copyright (c) 2016 Bob Beck <beck@openbsd.org>
@@ -85,7 +85,7 @@ tls_ocsp_fill_info(struct tls *ctx, int response_status, int cert_status,
        ctx->ocsp->ocsp_result = NULL;
        if ((info = calloc(1, sizeof (struct tls_ocsp_result))) == NULL) {
-                tls_set_error(ctx, TLS_ERROR_OUT_OF_MEMORY, "out of memory");
+                tls_set_errorx(ctx, TLS_ERROR_OUT_OF_MEMORY, "out of memory");
                return -1;
        }
        info->response_status = response_status;
@@ -102,19 +102,19 @@ tls_ocsp_fill_info(struct tls *ctx, int response_status, int cert_status,
        info->revocation_time = info->this_update = info->next_update = -1;
        if (revtime != NULL &&
            tls_ocsp_asn1_parse_time(ctx, revtime, &info->revocation_time) != 0) {
-                tls_set_error(ctx, TLS_ERROR_UNKNOWN,
+                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
                    "unable to parse revocation time in OCSP reply");
                goto err;
        }
        if (thisupd != NULL &&
            tls_ocsp_asn1_parse_time(ctx, thisupd, &info->this_update) != 0) {
-                tls_set_error(ctx, TLS_ERROR_UNKNOWN,
+                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
                    "unable to parse this update time in OCSP reply");
                goto err;
        }
        if (nextupd != NULL &&
            tls_ocsp_asn1_parse_time(ctx, nextupd, &info->next_update) != 0) {
-                tls_set_error(ctx, TLS_ERROR_UNKNOWN,
+                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
                    "unable to parse next update time in OCSP reply");
                goto err;
        }
@@ -130,7 +130,7 @@ static OCSP_CERTID *
 tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) *extra_certs,
    SSL_CTX *ssl_ctx)
 {
-        X509_NAME *issuer_name;
+        const X509_NAME *issuer_name;
        X509 *issuer;
        X509_STORE_CTX *storectx = NULL;
        X509_OBJECT *obj = NULL;
@@ -141,7 +141,8 @@ tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) *extra_certs,
                goto out;
        if (extra_certs != NULL) {
-                issuer = X509_find_by_subject(extra_certs, issuer_name);
+                issuer = X509_find_by_subject(extra_certs,
+                    (X509_NAME *)issuer_name);
                if (issuer != NULL) {
                        cid = OCSP_cert_to_id(NULL, main_cert, issuer);
                        goto out;
@@ -155,7 +156,7 @@ tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) *extra_certs,
        if (X509_STORE_CTX_init(storectx, store, main_cert, extra_certs) != 1)
                goto out;
        if ((obj = X509_STORE_CTX_get_obj_by_subject(storectx, X509_LU_X509,
-            issuer_name)) == NULL)
+            (X509_NAME *)issuer_name)) == NULL)
                goto out;
        cid = OCSP_cert_to_id(NULL, main_cert, X509_OBJECT_get0_X509(obj));
@@ -304,7 +305,7 @@ tls_ocsp_process_response_internal(struct tls *ctx, const unsigned char *respons
        if (resp == NULL) {
                tls_ocsp_free(ctx->ocsp);
                ctx->ocsp = NULL;
-                tls_set_error(ctx, TLS_ERROR_UNKNOWN,
+                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
                    "unable to parse OCSP response");
                return -1;
        }
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index a94b4221ed..570020d6a2 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.51 2024/03/26 08:54:48 joshua Exp $ */
+/* $OpenBSD: tls_server.c,v 1.53 2026/04/16 07:28:00 tb Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -75,7 +75,7 @@ tls_server_alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
            OPENSSL_NPN_NEGOTIATED)
                return (SSL_TLSEXT_ERR_OK);
-        return (SSL_TLSEXT_ERR_NOACK);
+        return (SSL_TLSEXT_ERR_ALERT_FATAL);
 }
 static int
@@ -242,12 +242,12 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
        if (SSL_CTX_set_tlsext_servername_callback(*ssl_ctx,
            tls_servername_cb) != 1) {
-                tls_set_error(ctx, TLS_ERROR_UNKNOWN,
+                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
                    "failed to set servername callback");
                goto err;
        }
        if (SSL_CTX_set_tlsext_servername_arg(*ssl_ctx, ctx) != 1) {
-                tls_set_error(ctx, TLS_ERROR_UNKNOWN,
+                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
                    "failed to set servername callback arg");
                goto err;
        }
@@ -298,7 +298,7 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
                SSL_CTX_clear_options(*ssl_ctx, SSL_OP_NO_TICKET);
                if (!SSL_CTX_set_tlsext_ticket_key_cb(*ssl_ctx,
                    tls_server_ticket_cb)) {
-                        tls_set_error(ctx, TLS_ERROR_UNKNOWN,
+                        tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
                            "failed to set the TLS ticket callback");
                        goto err;
                }
@@ -306,7 +306,7 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
        if (SSL_CTX_set_session_id_context(*ssl_ctx, ctx->config->session_id,
            sizeof(ctx->config->session_id)) != 1) {
-                tls_set_error(ctx, TLS_ERROR_UNKNOWN,
+                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
                    "failed to set session id context");
                goto err;
        }
diff --git a/src/lib/libtls/tls_signer.c b/src/lib/libtls/tls_signer.c
index 2573803ec1..2d6635460e 100644
--- a/src/lib/libtls/tls_signer.c
+++ b/src/lib/libtls/tls_signer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_signer.c,v 1.13 2024/06/11 16:35:24 op Exp $ */
+/* $OpenBSD: tls_signer.c,v 1.15 2026/04/16 07:35:25 tb Exp $ */
 /*
 * Copyright (c) 2021 Eric Faurot <eric@openbsd.org>
 *
@@ -99,6 +99,11 @@ tls_signer_add_keypair_mem(struct tls_signer *signer, const uint8_t *cert,
        char *hash = NULL;
        /* Compute certificate hash */
+        if (cert_len > INT_MAX) {
+                tls_error_setx(&signer->error, TLS_ERROR_INVALID_ARGUMENT,
+                    "certificate too long");
+                goto err;
+        }
        if ((bio = BIO_new_mem_buf(cert, cert_len)) == NULL) {
                tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN,
                    "failed to create certificate bio");
@@ -124,6 +129,11 @@ tls_signer_add_keypair_mem(struct tls_signer *signer, const uint8_t *cert,
        bio = NULL;
        /* Read private key */
+        if (key_len > INT_MAX) {
+                tls_error_setx(&signer->error, TLS_ERROR_INVALID_ARGUMENT,
+                    "private key too long");
+                goto err;
+        }
        if ((bio = BIO_new_mem_buf(key, key_len)) == NULL) {
                tls_error_setx(&signer->error, TLS_ERROR_UNKNOWN,
                    "failed to create key bio");
@@ -137,7 +147,7 @@ tls_signer_add_keypair_mem(struct tls_signer *signer, const uint8_t *cert,
        }
        if ((skey = calloc(1, sizeof(*skey))) == NULL) {
-                tls_error_set(&signer->error, TLS_ERROR_OUT_OF_MEMORY,
+                tls_error_setx(&signer->error, TLS_ERROR_OUT_OF_MEMORY,
                    "out of memory");
                goto err;
        }
@@ -223,7 +233,7 @@ tls_sign_rsa(struct tls_signer *signer, struct tls_signer_key *skey,
                return (-1);
        }
        if ((signature = calloc(1, rsa_size)) == NULL) {
-                tls_error_set(&signer->error, TLS_ERROR_OUT_OF_MEMORY,
+                tls_error_setx(&signer->error, TLS_ERROR_OUT_OF_MEMORY,
                    "out of memory");
                return (-1);
        }
@@ -271,7 +281,7 @@ tls_sign_ecdsa(struct tls_signer *signer, struct tls_signer_key *skey,
                return (-1);
        }
        if ((signature = calloc(1, signature_len)) == NULL) {
-                tls_error_set(&signer->error, TLS_ERROR_OUT_OF_MEMORY,
+                tls_error_setx(&signer->error, TLS_ERROR_OUT_OF_MEMORY,
                    "out of memory");
                return (-1);
        }
diff --git a/src/lib/libtls/tls_util.c b/src/lib/libtls/tls_util.c
index b276d2cfa7..d93efb830d 100644
--- a/src/lib/libtls/tls_util.c
+++ b/src/lib/libtls/tls_util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_util.c,v 1.16 2023/05/14 07:26:25 op Exp $ */
+/* $OpenBSD: tls_util.c,v 1.17 2026/03/10 05:26:04 deraadt Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
@@ -162,7 +162,7 @@ tls_load_file(const char *name, size_t *len, char *password)
        *len = 0;
-        if ((fd = open(name, O_RDONLY)) == -1)
+        if ((fd = open(name, O_RDONLY|O_CLOEXEC)) == -1)
                return (NULL);
        /* Just load the file into memory without decryption */
diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c
index 2935278383..de95ab8117 100644
--- a/src/lib/libtls/tls_verify.c
+++ b/src/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.32 2024/12/10 08:40:30 tb Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.33 2026/03/28 11:33:33 tb Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 *
@@ -214,10 +214,10 @@ tls_get_common_name_internal(X509 *cert, char **out_common_name,
    unsigned int *out_tlserr, const char **out_errstr)
 {
        unsigned char *utf8_bytes = NULL;
-        X509_NAME *subject_name;
+        const X509_NAME *subject_name;
        char *common_name = NULL;
        int common_name_len;
-        ASN1_STRING *data;
+        const ASN1_STRING *data;
        int lastpos = -1;
        int rv = -1;